Question 19 - Netskope NSK101 Real Exam Questions [Jan 2026 Update]

Q: 19

When accessing an encrypted website (HTTPS), what is a reason why you might receive a "certificate not trusted" browser message?

Options

Correct Answer:

Explanation

A "certificate not trusted" browser message appears when the browser cannot validate the server's digital certificate against its built-in list of trusted Certificate Authorities (CAs). A self-signed certificate is one that is signed by its own creator's private key rather than by a trusted third-party CA. Because the issuer is not a recognized authority in the browser's trust store, the browser cannot establish a valid certification path to a trusted root. This breaks the chain of trust, prompting the browser to warn the user that the site's identity cannot be verified and the connection may be insecure.

Why Incorrect

A. A certificate issued by a trusted Certificate Authority is necessary for a secure, error-free connection, not a cause for a trust error.

C. A public certificate, by definition, is issued by a trusted public CA and is the standard for preventing this type of browser warning.

D. If no certificate is installed, the server cannot establish an HTTPS connection at all, leading to a connection failure, not a certificate trust error.

References

1. Mozilla Developer Network (MDN Web Docs). Server-side TLS. In the section "Certificates

" it is explained that for a browser to accept a certificate

it must be signed by a trusted root certificate authority that is pre-installed in the browser or operating system. A self-signed certificate does not meet this criterion. (Reference: "Server-side TLS

" Section: Certificates).

2. MIT OpenCourseWare. 6.857 Computer and Network Security

Fall 2014

Lecture 17: Public Key Infrastructure. The lecture notes describe the hierarchical trust model of PKI

where a client validates a certificate by checking the signature of the issuer. For a self-signed certificate

the issuer is the subject itself

which is not a pre-configured trust anchor in the client's browser

thus failing validation. (Reference: 6.857 F14

Lecture 17 Notes

pp. 4-6).

3. Internet Engineering Task Force (IETF). RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. Section 6.1

"Basic Path Validation

" specifies the algorithm for verifying a certificate chain. A self-signed certificate cannot form a valid path to a trusted root CA unless it has been explicitly configured as a trust anchor on the local system

which is not the default case. (Reference: RFC 5280

Section 6.1).

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE